[OE-core] [PATCH] bind: Whitelist CVE-2019-6470

akuster808 akuster808 at gmail.com
Sun Nov 17 16:14:57 UTC 2019



On 11/15/19 1:46 PM, Adrian Bunk wrote:
> On Thu, Nov 14, 2019 at 07:18:28AM -0800, akuster808 wrote:
>>
>> On 11/14/19 4:51 AM, Adrian Bunk wrote:
>>> On Thu, Nov 14, 2019 at 12:04:40PM +0000, Ross Burton wrote:
>>>> On 13/11/2019 08:19, Adrian Bunk wrote:
>>>>> +# Affects: Builds of dhcpd versions prior to version 4.4.1 when using BIND versions 9.11.2 or later
>>>>> +CVE_CHECK_WHITELIST += "CVE-2019-6470"
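Review bot: The comment above CVE_CHECK_WHITELIST gives only the affected combination (dhcpd before 4.4.1 built against BIND 9.11.2 or later) and does not say why the CVE can be ignored in this recipe. State the reason in the comment, including which dhcpd version the whitelist entry relies on, so the entry can be re-checked if that version ever changes.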
>>>> Can you be a bit more explicit about why this is whitelisted?
>>> Something like
>>>   BIND >= 9.11.2 need dhcpd >= 4.4.1, don't report it here since
>>>   dhcpd is already recent enough.
>> Actually, checking isc dhcp sources, it appears the fix is sitting in
>> master and has not been merged to any of the stable branches. I have not
>> had the time to unpack and check in an OE env to validate that.
>>
>> Have you done that?
> At what commit are you looking?
https://source.isc.org/cgi-bin/gitweb.cgi?p=dhcp.git;a=commit;h=abacf8ad0d8844685e5cd76645a34ef2b8da3253

And like I said "it appears" and I always verify with what sources get
unpacked. I finally got around to doing that this morning and the
dhcp does have this fix.

-armin
>
> rt46719 was merged in 2017, actually before 4.4.0.
>
>> - Armin
> cu
> Adrian
>
